From b8a5ade2736a07b80c4c9a65dec1fe16c3df13aa Mon Sep 17 00:00:00 2001 From: Minecon724 Date: Sat, 12 Apr 2025 10:53:39 +0200 Subject: [PATCH] Update some stuff --- .env | 6 ++++++ README.md | 24 ++++++++---------------- init.sh | 14 ++++++++++++++ issue_cert.sh | 32 ++++++++++++++++++++++++++++++++ nginx/conf.d/a-vars.conf.tmpl | 7 +++++++ nginx/conf.d/companion.conf | 7 ------- nginx/nginx.conf | 2 +- reset.sh | 18 ++++++++++++++++++ 8 files changed, 86 insertions(+), 24 deletions(-) create mode 100755 init.sh create mode 100755 issue_cert.sh create mode 100644 nginx/conf.d/a-vars.conf.tmpl diff --git a/.env b/.env index fabe137..82315ec 100644 --- a/.env +++ b/.env @@ -7,3 +7,9 @@ IPV6_SUBNET=2001:db8::/32 # IPv6 brackets are not needed! NGINX_IPV4=203.0.113.1 NGINX_IPV6=2001:db8::1 + +# The hostname under which companion (well, nginx) is served +DOMAIN=example.com + +# Note that you still need to uncomment the lines in docker-compose.yml +GLUETUN=false diff --git a/README.md b/README.md index e3e9d0a..10e8475 100644 --- a/README.md +++ b/README.md 
@@ -1,27 +1,19 @@ -1. `git clone --recursive` +1. `./init.sh` 2. Fill in `.env` -3. How do you want to connect to YouTube? +3. Set the companion secret key in `config.toml` +4. How do you want to connect to YouTube? - If you want to rotate IPv6, consult `.env` - This rotates your ipv6 to bypass ratelimits. It's only effective with subnets larger than /64, the larger the better. - - You must also install `pyroute2`. It's on pypi or `apt install python3-pyroute2` on debian - - If you want to use gluetun, uncomment everything below `gluetun:` and the two lines `network_mode` and `depends_on` + - If you want to use gluetun: + - uncomment everything below `gluetun:` and the two lines `network_mode` and `depends_on` - Put `wg0.conf` in the root directory - If something else, you should know what you're doing -4. Set the companion secret key in `config.toml` -5. cd to `nginx/` and: - - `openssl dhparam -out dhparam.pem 3072` (takes up to a few minutes, you can do other steps in the meantime) - - `openssl req -new -x509 -days 365 -noenc -out snakeoil.pem -keyout snakeoil.key` (keep pressing Enter) - - Edit `conf.d/companion.conf` -6. cd back and `./reset.sh` -7. [Issue a certificate, steps here](/Minecon724/dream-setup/src/branch/master/CERTIFICATE.md) -8. **Schedule `reset.sh`**. This rotates your IP, updates containers, and it's generally a good practice to auto restart. \ +5. `./reset.sh` +6. `./issue_cert.sh` +7. **Schedule `reset.sh`**. This rotates your IP, updates containers, and it's generally a good practice to auto restart. \ This restarts every hour:00. You can change it, if you want to. / If you have multiple companions, you should make them restart at different times. ``` @reboot sleep 30s && cd /opt/invidious-companion/reset.sh 0 * * * * cd /opt/invidious-companion/reset.sh ``` - -**TODOs**: -- Automate all (well, almost) above -- `reset.sh` only when companion up, currently it brings up no matter what 
diff --git a/init.sh b/init.sh
new file mode 100755
index 0000000..5e4f1df
--- /dev/null
+++ b/init.sh
@@ -0,0 +1,14 @@
+#!/bin/bash
+cd "$(dirname "$0")"
+. .env
+
+git submodule update --init
+
+echo "Please wait, this will take a few minutes"
+openssl dhparam -out nginx/dhparam.pem 3072
+openssl req -new -x509 -days 365 -noenc -out nginx/snakeoil.pem -keyout nginx/snakeoil.key -subj "/C=AU/ST=Some-State/O=Internet Widgits Pty Ltd"
+
+apt install -y python3-pyroute2
+if [ $? -ne 0 ]; then
+ echo -e "\033[0;31mCouldn't install pyroute2. You must install it manually.\033[0m"
+fi
diff --git a/issue_cert.sh b/issue_cert.sh
new file mode 100755
index 0000000..74533fc
--- /dev/null
+++ b/issue_cert.sh
@@ -0,0 +1,32 @@
+#!/bin/bash
+cd "$(dirname "$0")"
+. .env
+
+if [ -z "$DOMAIN" ]; then
+ echo "DOMAIN not set"
+ exit 1
+fi
+
+if (( $(docker compose ps nginx | wc -l) < 2 )); then
+ echo "Nginx is not running. Did you ./reset.sh?"
+ exit 1
+fi
+
+if (( $(docker compose ps acme | wc -l) < 2 )); then
+ echo "acme.sh is not running. Did you ./reset.sh?"
+ exit 1
+fi
+
+
+CERT_DIR=/etc/ssl/$DOMAIN
+
+docker compose exec acme mkdir $CERT_DIR
+
+docker compose exec acme openssl req -new -x509 -days 365 -noenc -out $CERT_DIR/fullchain.pem -keyout $CERT_DIR/key.pem -subj "/C=AU/ST=Some-State/O=Internet Widgits Pty Ltd"
+docker compose exec nginx nginx -s reload
+
+docker compose exec acme --issue --server letsencrypt -d $DOMAIN --webroot /var/www/html/$DOMAIN
+docker compose exec acme --install-cert -d $DOMAIN --key-file $CERT_DIR/key.pem --fullchain-file $CERT_DIR/fullchain.pem
+docker compose exec nginx nginx -s reload
+
+echo "Done, certificate installed"
diff --git a/nginx/conf.d/a-vars.conf.tmpl b/nginx/conf.d/a-vars.conf.tmpl
new file mode 100644
index 0000000..327308a
--- /dev/null
+++ b/nginx/conf.d/a-vars.conf.tmpl
@@ -0,0 +1,7 @@
+# Do not edit this file
+
+set $DOMAIN $PDOMAIN
+
+upstream cu {
+ server http://$UPST:8282;
+}
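Review bot: In init.sh the `cd`, `git submodule update` and both `openssl` commands run unchecked, so if the `cd` fails the script sources whatever `.env` sits in the caller's directory and writes the key material relative to it, and a failed `openssl` run is never reported. I would write `cd "$(dirname "$0")" || exit 1` and append `|| exit 1` to the two `openssl` lines, leaving the `apt install` handling as it is since that failure is deliberately non-fatal. Nothing read from `.env` is used in this script, so the `. .env` line could be dropped.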
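Review bot: In issue_cert.sh nothing checks whether `--issue` succeeded, so a failed ACME order still runs `--install-cert`, reloads nginx and prints "Done, certificate installed" with the self-signed placeholder left in place. `$DOMAIN` and `$CERT_DIR` are also expanded unquoted, and `$DOMAIN` becomes a path component under /etc/ssl and /var/www/html, so a value from `.env` containing spaces, `/` or `..` changes which arguments and directories the commands see; quoting plus a character check closes that. `mkdir` without `-p` fails on a second run. The placeholder `openssl req` line, left out of the fence, needs the same quoting. acme.sh may return a non-zero status when it skips a certificate that is not yet due, so the exit-status check may need to allow that case on re-runs.

```bash
# … unchanged: cd, .env, empty-DOMAIN check …

# DOMAIN ends up inside filesystem paths; accept hostname characters only
case "$DOMAIN" in
    *[!A-Za-z0-9.-]*)
        echo "DOMAIN contains unexpected characters" >&2
        exit 1
        ;;
esac

# … unchanged: nginx and acme container checks …

CERT_DIR="/etc/ssl/$DOMAIN"

docker compose exec acme mkdir -p "$CERT_DIR" || exit 1

# … unchanged: placeholder certificate and first nginx reload …

if ! docker compose exec acme --issue --server letsencrypt -d "$DOMAIN" --webroot "/var/www/html/$DOMAIN"; then
    echo "Issuing the certificate failed" >&2
    exit 1
fi
docker compose exec acme --install-cert -d "$DOMAIN" --key-file "$CERT_DIR/key.pem" --fullchain-file "$CERT_DIR/fullchain.pem" || exit 1
docker compose exec nginx nginx -s reload || exit 1
```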
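Review bot: `set $DOMAIN $PDOMAIN` in a-vars.conf.tmpl has no terminating `;`, so after envsubst nginx will read the following `upstream cu {` as further arguments to `set` and refuse the configuration; it should be `set $DOMAIN $PDOMAIN;`. `set` belongs to the rewrite module and is documented for the server, location and if contexts, so if conf.d is included at http level (the include is not visible in this patch) the directive would be rejected there as well. The upstream `server` directive takes an address without a scheme as far as I know, so `server $UPST:8282;` is probably what is wanted. Because the rendered file is generated from `.env`, a short comment naming reset.sh as the generator would help whoever finds a broken a-vars.conf.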
diff --git a/nginx/conf.d/companion.conf b/nginx/conf.d/companion.conf index a2f70f6..d2bb4a1 100644 --- a/nginx/conf.d/companion.conf +++ b/nginx/conf.d/companion.conf @@ -1,10 +1,3 @@ -set $DOMAIN example.com # replace this of course - -upstream cu { - # s/companion/gluetun if using gluetun - server http://companion:8282; -} - server { listen 443 ssl; listen 443 quic; diff --git a/nginx/nginx.conf b/nginx/nginx.conf index ae73824..efcc97d 100644 --- a/nginx/nginx.conf +++ b/nginx/nginx.conf @@ -13,7 +13,7 @@ http { default_type application/octet-stream; # Comment those to enable logging - access_log /dev/null main; + access_log /dev/null; error_log /dev/null; # most errors are insignificant server_tokens off; diff --git a/reset.sh b/reset.sh index 381cf24..d43284a 100755 --- a/reset.sh +++ b/reset.sh @@ -2,11 +2,29 @@ cd "$(dirname "$0")" . .env +echo "Updating config" + +if [ "$GLUETUN" = true ]; then + UPST=gluetun +else + UPST=companion +fi + +PDOMAIN=$DOMAIN +envsubst '$PDOMAIN,$UPST' < nginx/conf.d/a-vars.conf.tmpl > nginx/conf.d/a-vars.conf + + if [ -n $IPV6_SUBNET ]; then echo "Rotating IP..." python3 smart-ipv6-rotator/smart-ipv6-rotator.py run --ipv6range=$IPV6_SUBNET + if [ $? -ne 0 ]; then + echo "Failed to rotate IP, trying again..." + python3 smart-ipv6-rotator/smart-ipv6-rotator.py run --ipv6range=$IPV6_SUBNET + fi fi +# TODO think about a way to restart only if running + echo "Updating..." docker compose pull
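Review bot: In reset.sh `PDOMAIN` and `UPST` are plain shell variables, but `envsubst` is a separate process and substitutes only from its environment, so unless `.env` exports them (the lines visible in this patch are plain assignments) the rendered a-vars.conf gets empty values. `export PDOMAIN="$DOMAIN" UPST` before the `envsubst` call fixes it. It would also help to stop when `$DOMAIN` is empty, as issue_cert.sh does, because the value is written into the nginx configuration unvalidated. The added retry does not check the status of the second rotation attempt, so a double failure still proceeds to the container update.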